Re: [f2fs-dev] [PATCH v2] f2fs: fix to disallow getting inner inode via f2fs_iget()

Mon, 12 Sep 2022 18:27:40 -0700 

On 2022/9/12 23:39, Jaegeuk Kim wrote:

On 09/08, Chao Yu wrote:

On 2022/9/8 10:19, Jaegeuk Kim wrote:

On 09/08, Chao Yu wrote:

On 2022/9/8 10:02, Jaegeuk Kim wrote:

On 08/31, Chao Yu wrote:

From: Chao Yu <chao...@oppo.com>

Introduce f2fs_iget_inner() for f2fs_fill_super() to get inner inode:
meta inode, node inode or compressed inode, and add f2fs_check_nid_range()
in f2fs_iget() to avoid getting inner inode from external interfaces.


So, we don't want to check the range of inner inode numbers? What'd be the
way to check it's okay?


For node_ino, meta_ino, root_ino, we have checked them in 
sanity_check_raw_super()
as below:

        /* check reserved ino info */
        if (le32_to_cpu(raw_super->node_ino) != 1 ||
                le32_to_cpu(raw_super->meta_ino) != 2 ||
                le32_to_cpu(raw_super->root_ino) != 3) {
                f2fs_info(sbi, "Invalid Fs Meta Ino: node(%u) meta(%u) 
root(%u)",
                          le32_to_cpu(raw_super->node_ino),
                          le32_to_cpu(raw_super->meta_ino),
                          le32_to_cpu(raw_super->root_ino));
                return -EFSCORRUPTED;
        }

compressed_ino should always be NM_I(sbi)->max_nid, it can be checked in
f2fs_init_compress_inode()?


Hmm, I'm not sure whether we really need this patch, since it'd look better
to handle all the iget with single f2fs_iget?


Well, the main concern is previously f2fs_iget() won't check validation for 
inner
inode due to it will skip do_read_inode() - f2fs_check_nid_range(), so that in a
fuzzed image, caller may pass inner ino into f2fs_iget(), result in incorrect 
use
of inner inode. So I add f2fs_check_nid_range() in prior to f2fs_iget_inner() in
f2fs_iget() as below to detect and avoid this case.


FWIW, sanity_check_raw_super() checked the inode numbers.


However, previously, f2fs_iget() will return inner inode to caller directly, if 
caller
passes meta_ino, node_ino or compress_ino to f2fs_iget()?

Thanks,






+struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
+{
+       int ret;
+
+       ret = f2fs_check_nid_range(F2FS_SB(sb), ino);
+       if (ret)
+               return ERR_PTR(ret);
+
+       return f2fs_iget_inner(sb, ino);



_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Reply via email to